Quantum private queries

ABSTRACT

In a database query operation, a quantum private query (QPQ) protocol allows a user to determine whether the database provider has been trying to obtain information about their query by performing quantum superpositions of different queries in addition to performing normal queries. This means that, in addition to being able to request the jth or the kth records in the database, the user can also request both records in a quantum superposition. To find out whether the database provider is trying to discover her queries, the user sends proper superpositions of queries and then checks the answer provided by the database to determine whether the superposition has been preserved. If superposition has not been preserved, the user can be confident that the database provider has cheated, and has tried to obtain information on the query.

BACKGROUND

This invention relates to quantum cryptography, and more particularly toapparatus and methods for encoding information in physical carriers toallow a first party to interrogate a database in possession of a secondparty in such a way that the first party can access only a limited partof the database, and the second party cannot discover which informationwas accessed.

Privacy is a major concern in many information transactions. A familiarexample is provided by the transactions between web search engines andtheir users. In a typical transaction, a user (called “Alice” in thediscussion below) accesses data held in a database controlled by aprovider (called “Bob” in the discussion below). On one hand, Alicewould typically prefer not to reveal to Bob the item in which she isinterested (a “user privacy” problem). On the other hand, Bob ownerwould like not to disclose more information than that Alice has askedfor (a “data privacy” problem). Typically, user privacy and data privacyare in conflict. The most straightforward way to obtain user privacy isfor Alice to have Bob send her the entire database contents, leading tono data privacy whatsoever. Conversely, techniques for guaranteeing dataprivacy typically leave the user vulnerable (see for example, Y.Gertner, Y. Ishai, E. Kushilevitz, and T. Malkin, Journal of ComputerSystems Sciences, 60:592, 2000).

At an information theory level, this problem has been formalized byGertner et al., as the Symmetrical Private Information Retrieval (SPIR)problem (Y. Gertner, Y. Ishai, E. Kushilevitz, and T. Malkin. Journal ofComputer Systems Sciences, 60:592, 2000). This work is a generalizationof the Private Information Retrieval (PIR) problem, which deals withuser privacy alone. Private Information Retrieval has a large body ofwork devoted to it. Examples are disclosed in U.S. Pat. Nos. 5,855,018;6,167,392; 6,438,554; 7,013,295 and 7,231,047. Other articles on thesubject include “Private Retrieval of Digital Objects”, B. Chor, O.Goldreich, E. Kushilevitz, and M. Sudan, Journal of the ACM, 45:965,1998; C. Cachin, S. Micali, and M. Stadler. in Advances inCryptology—EUROCRYPT99, 1999; C. Gentry and Z. Ramzan in Proc. 32ndICALP, pages 803-815, 2005; S. Yekhanin, Technical Report ECCC TR06-127,2006; E. Kushilevitz and R. Ostrovsky in Proc. 38th IEEE SymposiumFOCS97, page 364, 1997).

Symmetrical Private Information Retrieval is closely related (G. DiCrescenzo, T. Malkin, and R. Ostrovsky in LNCS, 1807:122-138, 2000) tooblivious transfer. In an oblivious transfer, Bob sends to Alice N bits,out of which Alice can access exactly one bit-which one bit, Bob doesn'tknow (S. Wiesner, ACM SIGACT News, 15:78, 1983; M. O. Rabin. TechnicalReport TR-81, Harvard Aiken Computational Laboratory, 1981; A. Jakoby,M. Liskiewicz, and A. Madry, arXiv: quant-phl0605150, 2006; G. Brassard,C. Cr'epeau, and J. M. Robert in Advances in Cryptology-Crypto86, page234, 1987).

One problem with conventional cryptographic protocols is that they allrequire some assumption on the computational or technological power ofeavesdropper. A sufficiently powerful eavesdropper can always interceptthe information exchanged by distant parties by attacking some stage ofthe protocol. In any case, SPIR ensures data privacy only in the case ofhonest users (an honest user is defined as one who does not want tocompromise her chances of getting the information about the selecteditem in order to get more). Quantum cryptography permits a wealth ofalgorithms where security is enforced by physical laws (unconditionalsecurity). No matter how powerful an eventual eavesdropper is, he cannotdiscover the information that the legitimate parties are exchanging.Quantum cryptographic protocols are disclosed in U.S. Pat. Nos.5,307,410; 5,243,649; 5,850,441 and 6,678,379, 2004 and in an articleentitled “Quantum key distribution method and apparatus”, C. H. Bennettand G. Brassard, Proc. IEEE Int. Conf. on Computers, Systems and SignalProcessing, Bangalore, India, pages 175-179, 2003.

However, no efficient solutions in terms of both communication andcomputational complexity are known for SPIR (A. Ambainis in Proceedingsof the 24th ICALP, Lecture Notes in Computer Science, 1256:401, 1997).Indeed, even rephrasing the known solutions at a quantum level, the bestknown solution for the SPIR problem (with a single database server)requires O(N) qubits to be exchanged between the server and the user,where N is the number of items contained in the database (I. Kerenidisand R. de Wolf, arXiv: quant-ph/0208062, 2002; I. Kerenidis and R. deWolf, arXiv: quant-ph/0307076, 2003).

Slightly better performances can be obtained by assuming the existenceof multiple non-mutually communicating replicas of the servers, seeRefs. (B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan, Journal ofthe ACM, 45:965, 1998; C. Cachin, S. Micali, and M. Stadler, in Advancesin Cryptology-EUROCRYPT99, 1999; C. Gentry and Z. Ramzan in Proc. 32ndICALP, pages 803-815, 2005; S. Yekhanin. Technical Report ECCC TR06-127,2006). Moreover sub-linear communication complexity can be achievedunder the some computational complexity assumption, e.g. (E. Kushilevitzand R. Ostrovsky, in Proc. 38th IEEE Symposium FOCS97, page 364, 1997).Nevertheless, no conventional single server PIR or SPIR solutions have acommunication complexity or computational complexity substantially lessthan O(N) (B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan, Journalof the ACM, 45:965, 1998; C. Cachin, S. Micali, and M. Stadler inAdvances in Cryptology—EUROCRYPT99, 1999; C. Gentry and Z. Ramzan inProc. 32nd ICALP, pages 803-815, 2005; S. Yekhanin, Technical ReportECCC TR06-127, 2006; E. Kushilevitz and R. Ostrovsky in Proc. 38th IEEESymposium FOCS97, page 364, 1997).

SUMMARY

In accordance with the principles of the invention, rather than insuringcomplete user privacy and data privacy, a quantum private query (QPQ)protocol ensures complete data privacy and allows a user to determinewhether the database provider has been trying to obtain informationabout their query. In accordance with the QPQ protocol, during adatabase access, quantum superpositions of different queries areperformed in addition to performing normal queries. This means that, inaddition to being able to request the jth or the kth records in thedatabase, the user can also request both records in a quantumsuperposition. To find out whether the database provider is trying todiscover her queries, the user sends proper superpositions of queriesand then checks the answer provided by the database to determine whetherthe superposition has been preserved. If superposition has not beenpreserved, the user can be confident that the database provider hascheated, and has tried to obtain information on the query because anycapture of information by the database provider would have induced adisturbance. With respect to (classical or quantum) SPIR and oblivioustransfer protocols, QPQ presents an exponential reduction incommunication complexity.

In one embodiment, the quantum superposition comprises a fixedsuperposition of an actual query and a fixed reference query.

In another embodiment, the quantum superposition comprises an arbitrarysuperposition of an actual query and a fixed reference query.

Instill another embodiment, the quantum superposition comprises asuperposition of an actual query and a random query.

In yet another embodiment which does not require that the providerpossess a quantum memory, the user prepares the state superpositionsnecessary to interrogate the database.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic block diagram of a first embodiment of the QPQprotocol 100 which utilizes a superposition of a query with a fixedreference query.

FIG. 2 is a schematic block diagram of the second embodiment of the QPQprotocol in which a superposition of two queries is used.

FIG. 3 is a block schematic diagram of a qRAM protocol to address anarray of N=2^(n) memory cells 304 containing k bits (or qubits) each.

FIG. 4 is a block schematic diagram of a multimode-encodingimplementation of the protocol which does not use the qRAM portion ofthe protocol.

DETAILED DESCRIPTION

The first embodiment of the QPQ protocol shown in FIG. 1 is based onAlice sending superpositions of her query and a fixed reference query(called a “rhetoric query”). In this embodiment, to submit her query onthe jth record of Bob's database, Alice uses an n qubit memory registerQ. This register allows her to interrogate a database of up to N=2^(n)elements. To test whether Bob is cheating and is trying to discover herquery, she submits a superposition of queries. Using the encoder 104,she prepares two copies of the register Q. The first copy 105 isinitialized as:

|j

  (1) and

the second copy 106 is initialized as (|j

₂+|0

₂)/√{square root over (2)}  (2)

In this embodiment it is assumed that 0th record in Bob's databasecontains a fixed reference value known to Alice (the “rhetoric query”).

Alice then randomly chooses one of these two registers and sends it toBob. He interrogates his database using it as an index register andemploying a qRAM algorithm 107 such as that described below. The qRAMalgorithm returns a second register R which contains the answer to thequery, and which may be entangled with the register Q, if the query wasin the superposition state (without loss of generality we can assume Rto be a single qubit). Bob sends back to Alice the R register 108 or 109and the Q register which he received.

Alice then sends Bob the second Q register, which, again, is employed byBob to interrogate his database. Bob then sends the new Q register backto Alice together with a new R register containing the answer to hersecond query. It is important to stress that Bob never knows if theregister he receives from Alice is the register 106 containing thequantum superposition or the other register 105 which does not contain aquantum superposition. This means Bob does not know which measurementcould extract information on j without disturbing the register. Thenumber of exchanged qubits is 2(n+1)=2(log N+1) (of these only twoqubits contain information on the database).

In attempting to obtain information about Alice's state, Bob must try todistinguish between two possible states that have an overlap 1/√{squareroot over (2)}. That is, Bob's position is isomorphic to that of “Eve”in conventional quantum cryptography, and any attempt on his part togain information can be detected by Alice: the tradeoff between theinformation that Bob can obtain and his probability of being detected byAlice are essentially the same as in quantum cryptography (see, forexample, M. Christandl and A. Winter, IEEE Transactions on InformationTheory, 51:3159, 2005) as discussed below.

In particular, after the double exchange with Bob, Alice is inpossession of the two states 108 and 109, that is:

$\begin{matrix}{{{\psi_{1}\rangle} = {{j\rangle}_{Q}{A_{j}\rangle}_{R}\mspace{14mu} {and}}}{{\psi_{2}\rangle} = {\frac{1}{\sqrt{2}}\left( {{{j\rangle}_{Q}{A_{j}\rangle}_{R}} + {{0\rangle}_{Q}{A_{0}\rangle}_{R}}} \right)}}} & (3)\end{matrix}$

where A_(m) is the content of the mth record in the database. Alice canrecover the value of A_(j) by a measurement 110 of |ψ₁

. This value provides the answer 112 to her query, and can be used toconstruct a measurement 111 and 113 to test whether the second state isreally of the form |ψ₂

.

The measurement 111 and 113 yields two possible outcomes: the outcome“yes” if the received state is |ψ₂

and the outcome “no” if the received state is not |ψ₂

. In mathematical terms, this measurement is described by a two-valuedPositive Operator Valued measurement, such as that described in M. A.Nielsen and I. L. Chuang, Quantum Computation and Quantum Information,Cambridge University Press, Cambridge, 2000, which article isincorporated by reference in its entirety. Specifically, the POVmeasurement is composed by the projector on |ψ₂

and by the projector 1−|ψ₂

ψ₂| on the orthogonal subspace of |ψ₂

. If Alice obtains a result connected to the second element, 1−|ψ₂

ψ₂|, she can be certain that Bob has cheated. Therefore, thismeasurement is called the “honesty test” of Bob. If Bob is acquiringinformation on j, he will be perturbing the superposition state |ψ₂

and Alice has a nonzero probability of detecting this perturbation. Thisprobability is not unity (that is, Bob can avoid detection if he islucky), but no matter what he does, this probability will always bedifferent from zero and Bob will be discovered cheating sooner or later.The only assumption necessary is that the value A_(j) is uniquelydetermined by j, that is, that there cannot be two different answers toone query.

The simple protocol described above can be easily modified to increaseits performance. First of all, in place of the fixed superposition (|j

_(Q)+|0

_(Q))/√{square root over (2)}, Alice can employ any arbitrarysuperposition α|j

_(Q)+β|0

with complex amplitudes α and β unknown to Bob. In this way Bob'sability of masking his actions is greatly reduced. Alternatively, Alicecan submit her query by entangling the register Q with an ancillarysystem S she keeps with her while_sending Q to Bob. In this case theinput states given in equations (1) and (2) are replaced by the vectors:

|j

_(Q)|1

_(S)   (4) and

(|j

_(Q)|1

_(S)+|0

_(Q)|2

_(S))/√{square root over (2)}  (5)

with |1

_(S) and |2

_(S) being two orthogonal states of S. In this version of the protocolthe vectors (4) and (5) describe, respectively, the state of theregisters 105 and 106 of FIG. 1 and their (quantum) correlations withthe auxiliary ancilla S.

This modified protocol proceeds as described above. Alice sends the tworegisters in random order waiting for Bob answer before sending thesecond one. The associated outcomes are in this case:

$\begin{matrix}{{{\psi_{1}\rangle} = {{j\rangle}_{Q}{1\rangle}_{S}{A_{j}\rangle}_{R}\mspace{14mu} {and}}}{{\psi_{2}\rangle} = {\frac{1}{\sqrt{2}}\left( {{{j\rangle}_{Q}{1\rangle}_{S}{A_{j}\rangle}_{R}} + {{0\rangle}_{Q}{2\rangle}_{S}{A_{0}\rangle}_{R}}} \right)}}} & (6)\end{matrix}$

As in the previous case, Alice will use the vector |ψ₁

to recover the value of A_(j) and the vector |ψ₂

to test whether or not Bob has cheated. This second stage can again beaccomplished by performing a measurement that yields two possibleoutcomes: the outcome “yes” if the received state is |ψ₂

and the outcome “no” if the received state is not |ψ₂

. The corresponding measure is now a two-valued joint Positive OperatorValued measurement which acts on the systems Q, S and R and whichverifies whether or not the received state is the entangled state |ψ₂

(see M. A. Nielsen and I. L. Chuang, Quantum Computation and QuantumInformation, Cambridge University Press, Cambridge, 2000).

In a second embodiment shown in FIG. 2, instead of creating asuperposition with the rhetoric query |0

_(Q), Alice superimposes two (or more) different queries, as detailedbelow. In this protocol variant 200, in addition to the query j in whichAlice is interested, she randomly chooses another query 203 (say thek-th). Now she prepares three n-qubits registers 205 and 206 in thestate:

|j

_(Q), |k

_(Q,) and (|j

_(Q)+|k

_(Q))/√{square root over (2)}  (7)

As in the embodiment discussed previously, Alice sends the registers toBob in random order and one-by-one (that is, she waits for Bob's replybefore submitting the next register). Bob employs the registers in thequantum RAM 207. At the end of their exchange, if Bob has not cheated,Alice is in possession of the three states 208 and 209:

|j

_(Q)|A_(j)

_(R), |k

_(Q)|A_(k)

_(R) and (|j

_(Q)|A_(j)

_(R)+|k

_(Q)|A_(k)

_(R))/√{square root over (2)}  (8)

Alice then measures state 208, i.e. the first two, in order to find outthe values of A_(j) and A_(k): the former is the answer she was lookingfor 212, the latter will be used to prepare the measurement 211 and 213(see above) to test the third state to check the superposition. If thetest fails, she can conclude that Bob has cheated.

There are several different possible physical implementations for thesetwo variants of the protocol, and they are dependent on the physicalimplementation of the underlying quantum logic. As an illustrativeexample, one of the most promising quantum technologies for quantumcommunication is quantum optics, where qubits are encoded intopolarization degrees of freedom of photons. Alternatively, hybridstrategies can be considered where photons are used as informationcarriers in the communication lines and different technologies (such asquantum dots, NMR, trapped ions) are used for local quantum informationprocessing at Alice and Bob's sites.

In contrast to the classical strategies where Alice hides her queryamong randomly chosen ones, the security of the QPQ does not rest on theclassical randomness of the queries. However, this randomness is auseful resource also for QPQ because Alice can increase her probabilityof catching a cheating Bob by choosing a high number of random queriesin her superposition.

The user security of the protocol rests on two key features, namely, thefact that Alice is sending her queries in random order, and the factthat she is sending them one by one. The first feature prevents Bob fromknowing which kind of query (superposed or plain) he is receiving ateach time: otherwise he would just let the superposed queries through,and measure the plain ones, finding out j and evading detection. Thesecond feature prevents Bob from employing joint measurements on thequeries, which would allow him to find out the value of j because thesubspaces spanned by the joint states of Alice's queries are orthogonalfor different choices of j.

To discuss the user security of the protocol it is worth starting from asimple strategy that Bob could try to use cheat on Alice in the firstembodiment of the QPQ protocol (i.e. the one in which Alice adoptsequally weighted superpositions that involves the rhetoric query 0).Suppose, for instance, that Bob performs projective measurements on bothof Alice's queries. By doing so he will always recover the value of j.Moreover with probability ½, one of his two measurement results willreturn 0 in correspondence to Alice's superposed query. In this case,Bob's attempt at cheating is successful, as he can correctly re-prepareboth of Alice's queries. However, with probability ½, Bob gets j fromboth measurements, and it will be impossible for him to determine theorder of Alice's queries. In this case, no strategy of his has more than½ probability of passing Alice's test. In fact, this is the probabilitythat a state of the form |j

_(Q)|A_(j)

_(R) passes the test of being of the form (|j

_(Q)|A_(j)

_(R)+|0

_(Q)|A₀

_(R))/√{square root over (2)}.

If Bob uses this cheating strategy, Alice can find it out withprobability ¼ (this number can be easily increased using the modifiedQPQ protocols discussed above).

What if Bob employs a more sophisticated cheating strategy? Bob ispresented randomly with one among two possible scenarios (A or B)depending on which state Alice sends first. These scenarios refer to thefollowing joint states of her query:

|S _(A)

=|j

_(Q) ₁ (|j

_(Q) ₂ +|0

_(Q) ₂ )/√{square root over (2)} and |S _(B)

=(|j

_(Q) ₁ +|0

_(Q) ₁ |)j

_(Q) ₂ /√{square root over (2)}  (9)

where Q₁ and Q₂ are her first and second query. The failure of the abovecheating strategy stems from Bob's impossibility to determine whichscenario Alice is using. This is a common problem to all cheatingstrategies. It is related to the non-orthogonality of the states |S_(A)

and |S_(B)

, and to the limit posed by the timing of the protocol (to gain accessto Q₂, Bob must first respond to Q₁).

Working along these lines, it can be shown that Alice has a nonzeroprobability of discovering that Bob is cheating, whatever sophisticatedmethods he employs. More precisely, we follow a derivation which issimilar to that performed in M. Christandl and A. Winter, IEEETransactions on Information Theory, 51:3159, 2005. It can be shown thathis impossibility of performing joint measurements on Q₁ and Q₂ places abound on the information Bob obtains on j. Alice can enforce the privacyof her queries by requiring that Bob is never caught cheating.

More particularly, any action by Bob in response to Alice's two queriescan be described in terms of two unitary transformations U₁ and U₂. Thetransformation U₁ acts on the registers Q₁, R₁ and on an ancillarysystem B which is under Bob's control (this also includes his database).The transformation U₂ acts on Q₂, R₂ and B. If Bob is not cheating, U₁and U₂ are instances of the qRAM algorithm of Equation (15) below andthey coherently copy the information from the database to the Rregisters leaving the ancilla B in its initial state. If instead Bob ischeating, at the end of the communication the system B will becorrelated with the rest. In this case Alice's final state is themixture:

ρ_(l)≡Tr_(B)[U₂U₁|Ψ_(l)(j)

Ψ_(l)(j)|U₁ ⁺U₂ ⁺]  (10)

where the label

=A, B refers to the scenario used by Alice to submit her query j, andwhere |Ψ

(j

≡|S

_(Q) ₁ _(Q) ₂ |0

_(RB) is the corresponding input state (|0

_(RB) being the initial state of the registers R_(1,2) and of theancilla B). The probability 1−P

(j) that the state ρ

(j) supplied by Bob will pass Alice's test can be easily computed byconsidering its overlap with the states corresponding to the answer thata non-cheating Bob would provide. On Bob's side, the information I_(B)that he retains on the query is stored in the final state of the ancillaB, i.e.

σ

(j)≡Tr_(Q) ₁ _(Q) ₂ _(R) ₁ _(R) ₂ [U₂U₁|Ψ

(j)

Ψ

(j)|U₁ ⁺U₂ ⁺].   (11)

An information-disturbance trade-off (see M. A. Nielsen and I. L.Chuang, Quantum Computation and Quantum Information, CambridgeUniversity Press, Cambridge, 2000) can be obtained by noticing that if1−P

_((j)≈)1, then σ_(l)(j) must be independent from j. Specifically,requiring P

(j)≦ε for all

and j, one can show that 1−F(σ

(j), σ*)≦O(ε^(1/4)), where σ* is fixed state and F the fidelity (A.Uhlmann. Rep. Math. Phys., 9:273, 1976).

Therefore, in the limit of P

(j)→0 (that is, Bob passes the test with high probability), the stateshe retains are independent from the label j that identifies Alice'squery. This can also transformed into an upper bound on the mutualinformation I_(B) by evaluating the Holevo information (A. S. Holevo,Probabilistic and statistical aspects of quantum theory, North Holland,Amsterdam, 1982) associated to the ensemble {p_(j), σ(j)} wherep_(j)=1/N is the probability that Alice will send the j-th query, andwhere σ(j)=[σ_(A)(j)+σ_(B)(j)]/2 is the final state of B (from Bob'spoint of view), since Alice randomly chooses among the scenarios A and Bwith probability ½. By doing so it can be shown that I_(B)≦O(ε^(1/4)log₂N). Thus, Bob's information on Alice's query is upper bounded by theprobability of getting caught.

An important caveat is connected to the assumption that there cannot betwo different answers to one query. This must be kept in mind as it mayintroduce a possible cheating strategy by Bob in certain implementationsof the protocol, even though such strategies are not viable in the caseswe described, where the index j is the database record, and itunivocally determines the record's content A_(j). We will analyze herethe first variant of the protocol. In this case, the cheating strategyinvolves Bob adding an ancilla B and performing the followingtransformation during the first of Alice's two queries:

|j

_(Q)→└|j

_(Q)|A_(j) ⁽⁺⁾

_(R)(|0

_(B)+|j

_(B))+|j

_(Q)|A_(j) ⁽⁻⁾

_(R)(|0

_(B)−|j

_(B))┘/2   (12)

if the answer to the jth query admits the two answers A_(j) ⁽⁺⁾ andA_(j) ⁽⁻⁾, or |j

_(Q)→|j

_(Q)|A_(j)

_(R)|0

otherwise. During the second of Alice's queries Bob must then performthe following transformation:

|j

_(Q)(|0

_(B)±|j

_(B))/√{square root over (2)}→|j

_(Q)|A_(j) ^((⊥))

_(A)(|0

_(B)±|j

_(B))/√{square root over (2)}  (13)

or, if the answer to the jth query is unique, the transformation:

|j

_(Q)|ψ

_(B)→|j

_(Q)|A_(j)

_(A)|ψ

_(B)   (14)

for any state |ψ

_(B) of his ancilla. It can be easily shown that Alice cannot find outthat Bob has performed this transformation. Moreover, in the case inwhich the answer to the jth query is not unique, she still sees eitherA_(j) ⁽⁺⁾ or A_(j) ⁽⁻⁾ (with ½ probability) as answers to both herqueries. However, in this case Bob has retained a record of what wasasked, as he is left with the states |0

_(B)+|j

_(B) or |0

_(B)−|j

_(B) (depending on whether Alice found A_(j) ⁽⁺⁾ or A_(j) ⁽⁻⁾). Fromeither of these two states he has a probability of ½ to find out thevalue of j undetected. It is, therefore, important to utilize the QPQprotocol in situations where this cheating strategy is impossible, thatis, when the query j univocally determines Bob's answer A_(j).

For Bob to perform his part in the protocol, he must possess a quantumrandom access memory (qRAM) implementation (107 and 207 in FIGS. 1 and2, respectively), in order to interrogate his database while preservingcoherence (as shown in V. Giovannetti, S. Lloyd, and L. Maccone,Physical Review Letters, 100:160501, 2008; M. A. Nielsen and I. L.Chuang, Quantum Computation and Quantum Information. CambridgeUniversity Press, Cambridge, 2000). As shown in FIG. 3, the aim of theqRAM protocol is to read, in a memory array, a location specified by anindex register Q 301, and return the contents in a second register A307. The register Q may contain a quantum superposition of locationaddresses. The content of the n-qubit address-register Q is correlatedby a unitary transformation U 302 to the spatial position of a singlequbit, which acts as a data bus. This means that the binary encoding inthe quantum register is translated into a unary encoding on the locationof the bus qubit 303, which is thus into one of 2^(n) possible locations(or in more than one location in quantum superposition). Now the qubitlocally interacts with the memory cell array, and the addressingprocedure is reversed by running the binary-to-unary encoding U protocolbackwards (an “uncomputation” performed by U⁺ 305). This decorrelatesthe position of the bus qubit from the Q register (otherwise quantumcoherence would be destroyed). Its internal state contains the value ofthe memory cell (cells) that was to be read. Essentially, the qRAMalgorithm implements the transformation:

Σ_(j)α_(j)|j

_(Q)→Σ_(j)α_(j)|j

_(Q)|A_(j)

_(R)   (15)

where A_(j) is the content of the jth memory location, and α_(j) arearbitrary amplitudes. Conventional architectures are described in M. A.Nielsen and I. L. Chuang, Quantum Computation and Quantum Information,Cambridge University Press, Cambridge, 2000) to O(n). qRAM designs existin which the number of quantum logic operations to perform a call can bereduced from O(2^(n)) of conventional qRAM designs. See for example V.Giovannetti, S. Lloyd, and L. Maccone, Physical Review Letters,100:160501, 2008). Constructing a qRAM for quantum private queriesshould be significantly easier than constructing a large-scale quantumcomputer.

Because the qRAM described above can be complex to implement in certainsituations, a third embodiment employs the protocol underlying any ofthe two previously described embodiments, but does not need a qRAM. Thedrawback is that the communication cost is exponentially higher thanwhat can be achieved if a qRAM is present. In this embodiment, since Bobdoes not possess a qRAM, Alice prepares the superpositions of differentspatial modes that are necessary to interrogate the database. This, ofcourse, implies that the channel connecting Alice and Bob must sustainN=2^(n) modes. The protocol proceeds exactly as discussed above (in anyone of the two previous variants). However, the encoding of informationand the database interrogation must follow a different strategy.

FIG. 4 illustrates the protocol. Each of the possible queries isconnected to a different mode 403 of an electromagnetic field. Alice 401prepares her query by populating a selected mode. This can be done byinserting a single photon (or any analogous information carrier) in theselected mode. As described above, she also needs to performsuperpositions of queries. In this case, she prepares a quantumsuperposition 402 of the photon populating different modes. The photontravels to Bob 404, who performs the global photon number measurement G405. It returns the total number of photons in the N modes, withoutrevealing which modes are populated. If the measurement tells him thatthere is more than one photon, he knows that Alice is trying to breachthe data privacy: she is allowed a single query (or superposition ofqueries) at each time. In this case, Bob refuses to serve her bybouncing the signal back to her, without interrogating his database.Alice can still verify that Bob has not read her query, but, as she hadcheated, she does not receive any answer to her query. Alternatively, ifBob's G measurement tells him that there is a single photon in the Nmodes, he will let such photon interact with his database stored in thememory array 406. The content of the memory cells are coherently copiedinto some internal degree of freedom of the information carrier (forexample, the photon's polarization). He then reflects the photon back toAlice, who can conclude her protocol, in the manner describedpreviously.

Notice that, if data privacy is not an issue, Bob's global measurement G405 may be removed. In this case, Alice may recover the whole database,since Alice and Bob are connected by a channel that can sustain N=2^(n)information carriers at a

There are a variety of different techniques that can be used toimplement the modes that connect Alice and Bob. For example, they canuse different spatial modes of the electromagnetic field or differenttime-bins in a single spatial mode. In the latter case, the database isencoded into a time-dependent single memory cell.

While the invention has been shown and described with reference to anumber of embodiments thereof, it will be recognized by those skilled inthe art that various changes in form and detail may be made hereinwithout departing from the spirit and scope of the invention as definedby the appended claims.

1. A method for querying a database implemented with a quantum randomaccess memory, the method ensuring complete data privacy and allowing auser to determine whether the database provider has been trying toobtain information about a query and comprising: (a) preparing by theuser a first register containing a desired query and a second registercontaining the quantum superposition of the desired query with anotherquery; (b) selecting at random one of the first and second registers andpresenting the selected register to the database provider; (c) receivinga first response to the register selected in step (b) and sending theregister not selected in step (b) to the database provider; (d)receiving a second response to the register sent in step (c); (e)measuring the response to the register containing the desired query toobtain an answer to the query; and (f) measuring the response to theregister containing the superposition to determine whether the databaseprovider has been trying to obtain information about the desired query.2. The method of claim 1 wherein the other query is a fixed referencequery.
 3. The method of claim 1 wherein the other query is a randomquery.
 4. The method of claim 1 wherein the quantum superposition is afixed superposition.
 5. The method of claim 1 wherein the quantumsuperposition is an arbitrary superposition.
 6. The method of claim 1wherein step (f) comprises performing a two-valued Positive OperatorValued measurement on the response to the register containing thesuperposition and the answer to the query to determine whether thesuperposition state has been perturbed.
 7. The method of claim 1 whereinstep (a) comprises entangling the first register with an ancillarysystem kept by the user.
 8. The method of claim 7 wherein step (f)comprises performing a joint Positive Operator Valued measurement on theresponse to the register containing the superposition, the answer to thequery and the ancillary system to determine whether the superpositionstate has been perturbed.
 10. A method for querying a database connectedto a user by a channel having a plurality of modes, each of which isassociated with a query on the database, the method allowing a user todetermine whether the database provider has been trying to obtaininformation about a query and comprising: (a) transmitting a first queryto the database by performing at random one of the actions consisting ofpopulating a mode corresponding to a desired query with an informationcarrier and populating a plurality of modes corresponding to the desiredquery and another query with a quantum superposition of the informationcarrier; (b) receiving a first response to the first query andtransmitting a second query to the database by performing the action notperformed in step (a); (c) receiving a second response to the secondquery transmitted in step (b); (d) measuring the response to the desiredquery to obtain an answer to the query; and (e) measuring the responseto the query corresponding to the superposition to determine whether thedatabase provider has been trying to obtain information about thedesired query.
 11. The method of claim 10 wherein the database providerin response to receiving the query transmitted in step (a) performs aglobal information carrier measurement over the plurality of modes todetermine the number of information carriers in the modes and disallowsaccess to the database if the result of the global information carriermeasurement is greater than one.
 12. The method of claim 10 wherein theother query is a fixed reference query.
 13. The method of claim 10wherein the other query is a random query.
 14. The method of claim 10wherein the quantum superposition is a fixed superposition.
 15. Themethod of claim 10 wherein the quantum superposition is an arbitrarysuperposition.
 16. The method of claim 10 wherein step (e) comprisesperforming a two-valued Positive Operator Valued measurement on theresponse to the query containing the superposition and the answer to thequery to determine whether the superposition state has been perturbed.17. The method of claim 10 wherein step (a) comprises entangling thedesired query with an ancillary system kept by the user.
 18. The methodof claim 17 wherein step (e) comprises performing a joint PositiveOperator Valued measurement on the response to the query containing thesuperposition, the answer to the query and the ancillary system todetermine whether the superposition state has been perturbed.